
5 steps to take after a data breach

Key takeaways

  • If your personal information is compromised in a data breach, consider putting a fraud alert on your credit reports, or even freezing your credit.
  • Sign up for security alerts on your financial accounts. You can get text or email notifications for any transactions or changes to your account.
  • Review your accounts and your credit reports regularly to look for signs of anything that could be amiss.

Even the tightest digital security at the biggest corporations or governments can be foiled by hackers intent on stealing personal information.

And it doesn't necessarily take a criminal mastermind to infiltrate the sophisticated data security employed by big businesses. The hole in security for corporations and governments is often the same as it is for individuals—human error.

In 2022, roughly 1 in 5 data breaches were caused by compromised passwords. Phishing, malicious insiders, and social engineering are other common methods of attack, according to a recent report from IBM. The global average cost of a data breach was $4.35 million in 2022.*

The haul criminals get from such activities includes individuals' personal information, such as Social Security numbers, names and addresses, email addresses, and login credentials.

For individuals affected by data breaches, the damage can be nearly ruinous—both financially and emotionally.

"Now more than ever, keeping track of your personal data to the best of your ability is critical. Taking steps to bolster your own digital security can help," says Brad Thibodeau, squad leader in Fidelity’s digital security experience.

5 things to do if your information is stolen in a data breach

1. Try to find out what pieces of your information may have been stolen. Loss of personal information like your Social Security number may require more action than the loss of a credit card number.

While a credit card can be canceled and replaced, if your Social Security number is compromised, you may need to closely monitor your credit reports and review your work history with the Social Security Administration. The website offers a portal for reporting the theft to the Federal Trade Commission (FTC) and steps for recovery.

2. Request and review your credit reports. You're entitled by federal law to a free annual credit report from each of the 3 major credit reporting agencies: Equifax®, Experian®, and TransUnion®. When you check your report, keep an eye out for anything amiss. Consider checking one report every 4 months to keep regular tabs on your credit. If you find any mistakes, from an incorrect address or misspelling to unknown accounts and misreported information, open a dispute with the credit reporting agency. Be sure to include any supporting documentation you may have.

3. Consider adding a fraud alert to your file with the credit reporting agencies. If you initiate a fraud alert with one credit agency, it will send the information to the other 2 agencies. A fraud alert will stay on your file for 90 days and potential lenders will be informed that you should be contacted before they extend any credit or loans.

A credit freeze is another step you could take. It's a little more intense—no one will be able to access your credit report unless you unfreeze it.

4. Review your accounts monthly. Check your bank, investing, and credit card accounts at least once a month and make sure you recognize all the transactions.

If you spot something amiss, it's important to notify the financial institution immediately.

  • You are not liable for unauthorized use of a stolen credit card number according to the FTC.
  • If your debit card number is stolen and used fraudulently, you're also protected from liability as long as you report the unauthorized transactions within 60 days of the statement being sent to you. If your physical debit card is stolen or lost, the rules are a little different and your maximum loss may be higher.

5. Sign up for security alerts and email notifications when offered. If someone tries to access your account or make a purchase with a compromised card, you'll get a text or email.

If you didn't initiate the transactions or make any changes to your account, notify the financial institution right away.

Think about your own data security

In the age of social media, identity thieves can glean a lot of information from your social presence. If you're targeted, they may know just enough about you to make their story believable. Keep an eye on your profiles and carefully consider who can see your social media activity.

Consider implementing these best practices to keep your information private and your accounts secure.

Don't click unknown links in emails, texts, or other electronic messages

Clicking a suspicious link in an email is the root cause of the majority of successful cyberattacks. It's called phishing and it's the reason why it's critical that you evaluate each and every link you're asked to click in an email, text, or other message.

Vishing is related to phishing. Instead of email, fraudsters call your phone and convince you to give up sensitive personal information or to follow a link they send, which can then upload malware to your device. Anyone can fall for social engineering under the right circumstances. The callers may tell you that your grandchild is in jail or kidnapped, that your bank account has been hacked, or that you're being accused of a crime. The story is always designed to scare you and make you act quickly. To fight back, hang up and investigate the story you were told.

Add 2-factor authentication when offered

Adding an additional layer of security when you access your accounts, called 2-factor authentication, is a strong defense against most common attacks. It requires you to enter a unique security code, randomly generated and sent to your phone or other mobile device by the business or application you're trying to log in to, plus your standard login ID and password. Consider enabling it on any accounts that offer it.

Your mobile phone number is a requirement for 2-factor authentication as it is generally used to secure your online access.

Go long and stay strong

Use a different password for every application and website. What constitutes a good password?

Length (10 or more characters) and complexity (a combination of letters, numbers, and special characters) help make passwords more unique. A string of unrelated words with numbers and special characters in between is best. Stay away from single dictionary words or common combinations of words.

Use a password manager app to generate and store all your passwords in a secure environment.

The cost of state-of-the-art password managers is negligible—especially when compared with the convenience and security they provide.

Keep operating systems updated and back up your devices

Today, most operating systems let you set your preferences to automatically install updates and patches as soon as they are available. That goes for software too, including antivirus protection. Don't forget to update your mobile phones and tablets, and the apps installed on them. You can set update preferences to do this automatically on your devices.

It can also make sense to back up the data on your devices regularly. If your own device is breached, it will help you access and restore any information that may have been compromised.

Stay safe at Fidelity

Fidelity uses sophisticated security measures to protect our customers. We also make many additional security tools available for customers to utilize, including 2-factor authentication and transaction alerts. Of course, we also provide a Customer Protection Guarantee for fraudulent activity. Make sure to visit Fidelity's online customer security site to explore some of these features, and learn more about what Fidelity is doing to help keep your assets safe.

Keep your documents safe—for free

Store, access, and share digital copies of your family's most important documents with FidSafe®.


*Cost of a data breach report 2022,

Information presented herein is for discussion and illustrative purposes only and is not a recommendation or an offer or solicitation to buy or sell any securities. Views expressed are as of the date indicated, based on the information available at that time, and may change based on market and other conditions. Unless otherwise noted, the opinions provided are those of the authors and not necessarily those of Fidelity Investments or its affiliates. Fidelity does not assume any duty to update any of the information.
